Snort mailing list archives
RE: Portscan from own interface
From: "John Berkers" <berjo () ozemail com au>
Date: Wed, 16 May 2001 22:48:02 +1000
Depending on the type of firewall being used, and whether it proxies HTTP traffic, traffic that is passing through the firewall may in fact look like it is originating at the firewall. As for anti-spoofing, this again depends on your firewall software. In firewall-1 you need to edit the network object in question (a firewall), and specify valid addresses for each of the interfaces. There is a standard set of choices: All, Other, Other + Specify extra, selected addresses. Other actually refers to addresses on the other interfaces, eg. you should not expect to see traffic that belongs on the network of interface 1 on the network connected to interface 2. Have a look through your firewall documentation for more information. If you are trying to set up anti-spoofing on a Linux box, using IPChains or IPTables the simplest thing would be to drop all traffic on eth0 that should only be arriving on eth1 and vice versa. Hope I didn't lose anyone there. John -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Subba Rao Sent: Wednesday, 16 May 2001 15:38 To: Midnight shadow Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] Portscan from own interface On 0, Midnight shadow <p.selder () freeler nl> wrote:
I noticed someting stange in the snort-log file. I got a portscan from the external interface from my firewall. Normally the offending hosts is
logged,
but now my external ip is listed. What can be the cause? Spoofing of some kind? The next line are only a few from the messages log. May 10 09:01:01 proxy snort[17307]: spp_portscan: portscan status from x.x.x.x: 2 connections across 2 hosts: TCP(1), UDP(1) May 10 09:01:05 proxy snort[17307]: spp_portscan: portscan status from x.x.x.x: 1 connections across 1 hosts: TCP(0), UDP(1) May 10 09:01:15 proxy last message repeated 2 times x.x.x.x is the ip of the external interface. I'm running snort 1.8 beta on redhat 7.0 i386
I am seeing similar messages in my snort logs. I hope it is only spoofing and not that my machine has been compromised. [**] spp_portscan: portscan status from x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**] 05/16-05:19:37.397711 How can I set up anti-spoofing controls on my machine? TIA. -- Subba Rao subba9 () home com http://members.home.net/subba9/ GPG public key ID 27FC9217 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Portscan from own interface Midnight shadow (May 10)
- RE: Portscan from own interface Fernando Cardoso (May 10)
- Re: Portscan from own interface Subba Rao (May 16)
- Re: Portscan from own interface Midnight shadow (May 16)
- Re: Portscan from own interface Subba Rao (May 16)
- Re: Portscan from own interface Midnight shadow (May 16)
- Re: Portscan from own interface Midnight shadow (May 16)
- RE: Portscan from own interface John Berkers (May 16)